National Archives and Records Administration
8601 Adelphi Road
College Park, Maryland 20740-6001

Date: August 18, 2010
Reply to Attn of: Office of Inspector General (OIG)
Subject: Advisory Report No. 10-16, No Alternative Back-up Site for the Electronic Records Archives System
To: David S. Ferriero, Archivist of the United States (N)

The National Archives and Records Administration (NARA) expended over $2.8 million dollars [1] to lease space at the Stennis Space Center [2] in Mississippi that was never put to use. Originally Congress provided funds for NARA to begin working with the Naval Oceanographic Office at Stennis, and the facility was to serve as the primary site for the Electronic Records Archives (ERA) System. However, the primary ERA site shifted to Rocket Center, West Virginia and the Stennis site was never utilized as either the primary or back-up ERA site. Thus, over $2.8 million was expended for leased space that was never used, and NARA continues to lack an alternative ERA back-up site.

ERA represents the largest information technology project ever undertaken by NARA. Due to the risk factors involved, the OIG has dedicated resources to provide oversight over the program. This report represents our ongoing effort in this regard. In our ERA effort dated April 29, 2010, entitled “Inadequate Contingency Planning for the Electronic Records Archives System,” the OIG reported that ERA program officials had not adequately planned for a long-term service disruption or outage should the ERA System and its primary site become unavailable. The ERA, a major information system, is categorized as a high impact system requiring such functionality as defined by the National Institute of Standards and Technology’s (NIST) [3]. Specifically, the OIG report stated that (1) the ERA Business Impact Analysis (BIA) is incomplete and lacks current system information such as points of contact along with their respective roles, recovery priorities, and specific resources with the respective allowable outage time for each; (2) ERA officials cannot define nor illustrate that the ERA System (in its entirety) can be successfully restored from back-up tapes; and specific to this report (3) the ERA Program does not have an alternative back-up site. Thus, if the primary ERA site was subject to prolonged disruption, users would be unable to access the system and data residing in ERA.

The Interagency Agreement (IAA) between NARA and the Naval Meteorology and Oceanography Command at the Stennis Space Center was entered into on June 20, 2006 and initially funded by Congress with a FY 2006 budget earmark. According to the prior ERA Program Director, no one at NARA had any involvement in or knowledge of this funding before it was added to the appropriation. Prior to this, NARA had decided in principle that at least one complete copy of all the records preserved in ERA had to be in a facility controlled by the Government. According to the NARA official, given the Congressional direction and the established capabilities at Stennis for hosting and protecting government computers, NARA decided to use the earmark to locate the primary site for the ERA System at Stennis. However, this never came to fruition.

The primary site is now located in West Virginia. The former ERA Program Director also stated that before NARA reached the stage of actually installing any hardware at Stennis, the Congress, through the office of Senator Byrd, gave NARA the option of locating primary ERA functionality at the Allegany Ballistics Lab in Rocket Center, West Virginia. Per ERA officials, the Rocket Center offered substantial cost avoidance advantages over the Stennis location. However, these officials stated that NARA opted to retain Stennis as a back-up site. Unfortunately, Stennis has never met the definition of a back-up site, as there is and has never been any ERA equipment at the site. Further, no ERA personnel have ever resided on-site at that location. In fact, even if NARA did expedite shipping equipment there in an emergency, it would take several weeks for the system to be installed and usable. Figures 1 and 2 below show the empty space paid for by NARA. The few cabinets in the room are residual, containing power supply feeds, etc., and do not hold any NARA equipment.

[Figure 1]    [Figure 2]

NARA’s 2008 Performance Budget Congressional Justification stated that by the beginning of 2008, there would be an ERA operational site in West Virginia and a back-up site in Mississippi, which together would be capable of accepting and securely storing Presidential and Federal government electronic records. These sites were also to provide basic preservation, search, and retrieval capability for unclassified and Sensitive But Unclassified records from NARA’s existing holdings and initially from four Federal agencies. When asked why hardware had not been installed at Stennis, the former ERA Program Director responded there was never an appropriation for a back-up system. He stated the 2008 budget language was finalized in March 2007, prior to Lockheed Martin Corporation (the ERA systems development contractor) admitting they would not be able to meet the schedule for initial operating capability in the fall of that year. At that time, the expectation was there would be enough funds available to establish a back-up capability at Stennis.

To date, NARA has paid $2,862,357 for space at the Stennis Space Center. The initial earmark was for $2 million, but a NARA budget official stated it was reduced by 1% ($20,000). According to an ERA Program Office official, there were no additional earmarks for Stennis after the initial one. She stated there were annual obligations from the ERA appropriations for support/Operations & Maintenance of the Stennis site. These funds totaled $882,357. In December 2009, NARA notified the Naval Meteorology and Oceanography Command that it would not be exercising the next option year, thereby terminating the agreement with Stennis on June 20, 2010.

To adequately plan for a long-term service disruption, ERA officials need to have a contingency plan in place that includes an alternative back-up site for the ERA System should its primary processing site be unavailable. In the event of a disaster, NARA may not be able to fulfill its mission and provide Federal users, as well as the public, access to critical electronic records. We will continue to monitor the contingency planning process for the ERA System and report back to you on a periodic basis.

This project was part of our on-going effort to review NARA’s development and implementation of the ERA. Our review effort consisted primarily of reviewing applicable ERA documentation such as the ERA System Security Plan, Contingency Plan, the IAA with the Commander, Naval Meteorology and Oceanography Command, ERA Congressional Budget Justifications; and interviews with responsible ERA Program Office officials and other appropriate officials. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

If you have any questions concerning the information presented in this report, please e-mail Mr. James Springs or me, or call us at extension 73000.

Paul Brachfeld
Inspector General

cc: NH (C. Piercy)

[1] See Attachment A for a schedule of payments.
[2] The John C. Stennis Space Center is a NASA facility located in southern Mississippi.
[3] See Attachment B for a more detailed description of security related criteria.


Attachment A

Schedule of Payments Made for the Stennis Facility

  Payment Date          Payment Amount
  December 21, 2006     $1,743,274.50
  December 21, 2006        160,000.00
  January 11, 2007          25,000.00
  January 11, 2007          56,725.50
  August 18, 2008            2,153.41
  September 12, 2008           760.03
  October 15, 2008             771.57
  October 23, 2008          26,264.42
  November 14, 2008          3,977.31
  January 14, 2009          61,278.78
  February 11, 2009         85,796.24
  February 11, 2009          8,123.37
  March 11, 2009             2,773.20
  August 13, 2009           29,620.42
  September 14, 2009         1,817.45
  December 17, 2009         12,800.00
  February 4, 2010           2,951.70
  February 10, 2010         14,952.11
  April 5, 2010            184,847.80
  April 12, 2010           438,469.02
  Totals                $2,862,356.83


Attachment B

Security-Related Criteria for Security Categorization and Minimum Security Requirements

The Federal Information Processing Standards (FIPS) Publication 199, entitled “Standards for Security Categorization of Federal Information and Information Systems” requires agencies to categorize their information systems based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Information systems are to be categorized as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. The potential impact values assigned to the respective security objectives are the highest values (i.e., high water mark) from among the security categories that have been determined for each type of information resident on those information systems. The ERA System’s security objectives are categorized as high for confidentiality and integrity, and moderate for availability. Therefore, the ERA is defined as a high-impact information system since at least one of its security objectives is high.

FIPS Publication 200, entitled “Minimum Security Requirements for Federal Information and Information Systems” establishes minimum security requirements for the following 17 security-related areas based on the designated impact level of the information system.

  Access Control
  Awareness and Training
  Audit and Accountability
  Certification, Accreditation, and Security Assessments
  Configuration Management
  Contingency Planning
  Identification and Authentication
  Incident Response
  Maintenance
  Media Protection
  Physical and Environmental Protection
  Planning
  Personnel Security
  Risk Assessment
  Systems and Services Acquisition
  System and Communications Protection
  System and Information Integrity

For high-impact information systems, organizations must, as a minimum, employ appropriately tailored security controls from the high baseline of security controls defined in NIST Special Publication 800-53 entitled “Recommended Security Controls for Federal Information Systems and Organizations” and must ensure that the minimum assurance requirements associated with the high baseline are satisfied.

NARA’s Information Technology (IT) Security Policies and IT Security Requirements are based on NIST Special Publication 800-53 and identify 17 families of controls that comprise the minimum set of security controls required by all federal information or information systems. Within the Contingency Planning Control family, one of the controls is for an alternate processing site. NARA’s IT Security Requirement for this control states:

“For moderate or high availability information systems, NARA shall identify an alternative processing site and initiate necessary agreements to permit the resumption of information system operations for critical mission or business functions within the timeframe defined in the approved Continuity of Operations Plan or Disaster Recovery Plan when either plan is invoked.”